fix: production-readiness hardening from full-codebase review

Apply six isolated, low-risk fixes surfaced by the parallel
production-readiness review (backend, frontend, security, perf,
UI/UX, bugs+features).

Backend
- Mask access_token in provider GET responses and drop it on edit
  when carrying the *** placeholder — fixes plaintext leak of HA
  long-lived tokens (security H-1). Centralized via
  PROVIDER_SECRET_FIELDS so all call sites stay in sync (C-5).
- Hold HA status-change tasks in a module-level set with a
  done_callback — asyncio.create_task only keeps weak refs and
  the task could be GC'd before its row was written (C-1).
- Roll back the request session in the Telegram-webhook catch-all
  so a handler exception cannot leak uncommitted writes into the
  next request (C-2).
- Bail before reading the 1 MiB webhook body when the Gitea
  provider has no secret configured or the request has no
  signature header. For the generic webhook with bearer_token
  auth, verify the Authorization header before the body read.
  Closes the pre-auth resource-exhaustion amplifier (C-3).

Frontend
- Add supportsAutoOrganize capability to ProviderDescriptor and
  consume it from RuleEditor instead of `provider.type !== 'immich'`,
  bringing the last action-rule editor under CLAUDE.md rule 8
  (no provider-type hardcoding in components).
- Snackbar: add role="region" + per-toast role/aria-live/aria-atomic
  so screen readers announce success/error toasts.
- Sidebar nav: add aria-current="page" on the active link so the
  active state has an accessible name.
- New snackbar.region key in en + ru (locale parity preserved).

Out of scope for this commit (tracked in .claude/reviews/README.md
ship-blocker list): secret encryption at rest, JWT cookie move,
Alembic adoption, webhook idempotency, deferred-dispatch crash
window, persisted Telegram update watermark, bridge_self counter
lock — each needs more than a mechanical edit.

frontend/src/lib/components/Snackbar.svelte

@@ -32,12 +32,15 @@
 </script>
 
 {#if snacks.length > 0}
-	<div use:portal class="snackbar-container">
+	<div use:portal class="snackbar-container" role="region" aria-label={t('snackbar.region')}>
 		{#each snacks as snack (snack.id)}
 			<div
 				in:fly={{ y: 40, duration: 300 }}
 				out:fade={{ duration: 200 }}
 				class="snack-item"
+				role={snack.type === 'error' ? 'alert' : 'status'}
+				aria-live={snack.type === 'error' ? 'assertive' : 'polite'}
+				aria-atomic="true"
 				style="--snack-accent: {accentMap[snack.type]};"
 			>
 				<span class="snack-icon" style="color: {accentMap[snack.type]};">

frontend/src/lib/i18n/en.json

@@ -1141,7 +1141,8 @@
 	},
 	"snackbar": {
 		"showDetails": "Show details",
-		"hideDetails": "Hide details"
+		"hideDetails": "Hide details",
+		"region": "Notifications"
 	},
 	"timezone": {
 		"searchPlaceholder": "Search cities or IANA codes…",

frontend/src/lib/i18n/ru.json

@@ -1141,7 +1141,8 @@
 	},
 	"snackbar": {
 		"showDetails": "Показать детали",
-		"hideDetails": "Скрыть детали"
+		"hideDetails": "Скрыть детали",
+		"region": "Уведомления"
 	},
 	"timezone": {
 		"searchPlaceholder": "Поиск по городам или IANA-кодам…",

frontend/src/lib/providers/immich.ts

@@ -13,6 +13,7 @@ export const immichDescriptor: ProviderDescriptor = {
 	icon: 'mdiImageMultiple',
 	hasUrl: true,
 	urlPlaceholder: undefined, // uses generic i18n placeholder
+	supportsAutoOrganize: true,
 
 	configFields: [
 		{

frontend/src/lib/providers/types.ts

@@ -196,6 +196,15 @@ export interface ProviderDescriptor {
 	/** Whether this provider stores incoming payload history for debugging. */
 	payloadHistory?: boolean;
 
+	// ── Capability flags ──
+	/**
+	 * True when the provider exposes asset/people/album endpoints that the
+	 * Auto-Organize action rule editor needs to render its people / album
+	 * pickers (currently only Immich). Used in place of `type === 'immich'`
+	 * checks per CLAUDE.md rule 8.
+	 */
+	supportsAutoOrganize?: boolean;
+
 	// ── Tracker-form discovery hint ──
 	/**
 	 * Optional info banner shown on the TrackerForm to point users at related

frontend/src/routes/+layout.svelte

@@ -499,6 +499,7 @@
 									<a
 										href={child.href}
 										class="nav-link nav-link-child group flex items-center gap-2 px-2.5 py-1.5 rounded-lg text-sm transition-all duration-200 relative {isActive(child.href) ? 'active' : ''}"
+										aria-current={isActive(child.href) ? 'page' : undefined}
 									>
 										{#if isActive(child.href)}
 											<div class="active-indicator" style="position: absolute; left: -13px; top: 50%; transform: translateY(-50%); width: 3px; height: 60%; border-radius: 0 3px 3px 0; background: var(--color-primary); box-shadow: 0 0 8px var(--color-glow-strong);"></div>
@@ -518,6 +519,7 @@
 							href={entry.href}
 							class="nav-link group flex items-center gap-2.5 {collapsed ? 'justify-center px-2' : 'px-3'} py-2 rounded-lg text-sm transition-all duration-200 relative {isActive(entry.href) ? 'active' : ''}"
 							title={collapsed ? t(entry.key) : ''}
+							aria-current={isActive(entry.href) ? 'page' : undefined}
 						>
 							{#if isActive(entry.href)}
 								<div class="active-indicator" style="position: absolute; left: 0; top: 50%; transform: translateY(-50%); width: 3px; height: 60%; border-radius: 0 3px 3px 0; background: var(--color-primary); box-shadow: 0 0 8px var(--color-glow-strong);"></div>

frontend/src/routes/actions/RuleEditor.svelte

@@ -7,6 +7,7 @@
 	import IconButton from '$lib/components/IconButton.svelte';
 	import EntitySelect from '$lib/components/EntitySelect.svelte';
 	import MultiEntitySelect from '$lib/components/MultiEntitySelect.svelte';
+	import { getDescriptor } from '$lib/providers';
 	import type { ActionRule } from '$lib/types';
 
 	let { actionId, actionType, providerId }: { actionId: number; actionType: string; providerId: number } = $props();
@@ -54,7 +55,9 @@
 	async function loadProviderData() {
 		if (actionType !== 'auto_organize') return;
 		const provider = providersCache.items.find((p: any) => p.id === providerId);
-		if (!provider || provider.type !== 'immich') return;
+		if (!provider) return;
+		const descriptor = getDescriptor(provider.type);
+		if (!descriptor?.supportsAutoOrganize) return;
 		try {
 			const [p, a] = await Promise.all([
 				api<any>(`/providers/${providerId}/people`),
@@ -63,7 +66,7 @@
 			people = Array.isArray(p) ? p : [];
 			albums = Array.isArray(a) ? a : [];
 		} catch {
-			// People/album endpoints may not exist yet — degrade gracefully
+			// People/album endpoints may not exist yet — degrade gracefully
 		}
 	}